Scanning the Internet for Vulnerabilities

Carsten Bormann cabo at tzi.org
Mon Jun 20 21:27:31 UTC 2022


On 2022-06-20, at 23:02, Mel Beckman <mel at beckman.org> wrote:
> 
> Carsten,
> 
> The discussion is not getting far afield: it’s on point. And it’s a hugely germane topic for network operators. 
> 
> Regarding your claim “You consented to receiving packets when connecting to the Internet“, I counter with what is in virtually every ISP’s AUP for customers: Unauthorized port scanning is expressly prohibited. 

Of course they don’t want their customers to do that.
(They might find out that the ISP is cooking with water…)
I’m not your customer, though.

> I strongly suspect that this is probably also a violation of the U.S. Computer Abuse and Fraud Act, which criminalizes anyone who “Intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer.” A great many VA plug-ins attempt to — and often do — extract information they’re not authorized to. 

You would think so, but then it turns out the CFAA is not actually being policed in the way you think it should be.

(The whole thing is a bit of a “soviet law” situation, where everyone is routinely doing things that could theoretically be criminalized, but aren’t, except when some thug is exceptionally interested in doing so and can thus abuse the law to exert unreasonable power over you.)

So CFAA is more a case of us logical people trying to interpret a law that clearly is not subject to applying logic.

In any case, I’d argue I’m implicitly authorized by you having opened to my access that port I’m probing — the computer simply isn’t “protected”.

                .oOo.

I can understand very well that everyone here is allergic to the large-scale scanners (most of which are done in a spectacularly stupid way) that are loading our servers.  That problem is not being solved by banning well-thought-out academic research; you wouldn’t be able to note the difference if that stopped.

(Oh, and, as a service, our ISP scans our ports and looks for vulns, which is a good service so we don’t have to do this as much for systems set up by our students.)

Grüße, Carsten